From: Doug MacEachern Date: Thu, 28 Mar 2002 18:50:07 +0000 (+0000) Subject: breakup SSLSrvConfigRec in preparation for proxy support: X-Git-Tag: 2.0.34~66 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1d76ab39ff31463d88554a3aa223d7fd1e01a534;p=apache breakup SSLSrvConfigRec in preparation for proxy support: + modssl_pk_server_t - certs/keys for the server + modssl_pk_proxy_t - certs/keys for the proxy + modssl_auth_ctx_t - stuff related to authentication that can also be per-dir, used by both server and proxy + modssl_ctx_t - context that can be used by both server and proxy + SSLSrvConfigRec - now contains original stuff specific to the server config and modssl_ctx_t *server, *proxy git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94267 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 9b88dff07d..314a426e03 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -257,7 +257,7 @@ static int ssl_hook_pre_connection(conn_rec *c, void *csd) * attach this to the socket. Additionally we register this attachment * so we can detach later. */ - if (!(ssl = SSL_new(sc->pSSLCtx))) { + if (!(ssl = SSL_new(sc->server->ssl_ctx))) { ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Unable to create a new SSL connection from the SSL context"); @@ -404,7 +404,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter) sslconn->verify_error) { if (ssl_verify_error_is_optional(verify_result) && - (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) { /* leaving this log message as an error for the moment, * according to the mod_ssl docs: @@ -444,7 +444,7 @@ int ssl_hook_process_connection(SSLFilterRec *filter) * Make really sure that when a peer certificate * is required we really got one... (be paranoid) */ - if ((sc->nVerifyClient == SSL_CVERIFY_REQUIRE) && + if ((sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) && !sslconn->client_cert) { ssl_log(c->base_server, SSL_LOG_ERROR, diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h index 6597a8b150..875e338c05 100644 --- a/modules/ssl/mod_ssl.h +++ b/modules/ssl/mod_ssl.h @@ -468,39 +468,76 @@ typedef struct { } rCtx; } SSLModConfigRec; -/* - * Define the mod_ssl per-server configuration structure - * (i.e. the configuration for the main server - * and all contexts) - */ +/* public cert/private key */ +typedef struct { + /* + * server only has 1-2 certs/keys + * 1 RSA and/or 1 DSA + */ + const char *cert_files[SSL_AIDX_MAX]; + const char *key_files[SSL_AIDX_MAX]; + X509 *certs[SSL_AIDX_MAX]; + EVP_PKEY *keys[SSL_AIDX_MAX]; +} modssl_pk_server_t; + +typedef struct { + /* proxy can have any number of cert/key pairs */ + const char *cert_file; + const char *cert_path; + STACK_OF(X509_INFO) *certs; +} modssl_pk_proxy_t; + +/* stuff related to authentication that can also be per-dir */ +typedef struct { + /* known/trusted CAs */ + const char *ca_cert_path; + const char *ca_cert_file; + + const char *cipher_suite; + + /* for client or downstream server authentication */ + int verify_depth; + ssl_verify_t verify_mode; +} modssl_auth_ctx_t; + +typedef struct SSLSrvConfigRec SSLSrvConfigRec; + typedef struct { + SSLSrvConfigRec *sc; /* pointer back to server config */ + SSL_CTX *ssl_ctx; + + /* we are one or the other */ + modssl_pk_server_t *pks; + modssl_pk_proxy_t *pkp; + + /* config for handling encrypted keys */ + ssl_pphrase_t pphrase_dialog_type; + const char *pphrase_dialog_path; + + const char *cert_chain; + + /* certificate revocation list */ + const char *crl_path; + const char *crl_file; + X509_STORE *crl; + + ssl_proto_t protocol; + + modssl_auth_ctx_t auth; +} modssl_ctx_t; + +struct SSLSrvConfigRec { SSLModConfigRec *mc; - BOOL enabled; - const char *vhost_id; - int vhost_id_len; - const char *log_file_name; - apr_file_t *log_file; - int log_level; - int session_cache_timeout; - - const char *szPublicCertFiles[SSL_AIDX_MAX]; - const char *szPrivateKeyFiles[SSL_AIDX_MAX]; - const char *szCertificateChain; - const char *szCACertificatePath; - const char *szCACertificateFile; - const char *szCipherSuite; - int nVerifyDepth; - ssl_verify_t nVerifyClient; - X509 *pPublicCert[SSL_AIDX_MAX]; - EVP_PKEY *pPrivateKey[SSL_AIDX_MAX]; - SSL_CTX *pSSLCtx; - int nPassPhraseDialogType; - const char *szPassPhraseDialogPath; - ssl_proto_t nProtocol; - const char *szCARevocationPath; - const char *szCARevocationFile; - X509_STORE *pRevocationStore; -} SSLSrvConfigRec; + BOOL enabled; + const char *vhost_id; + int vhost_id_len; + const char *log_file_name; + apr_file_t *log_file; + int log_level; + int session_cache_timeout; + modssl_ctx_t *server; + modssl_ctx_t *proxy; +}; /* * Define the mod_ssl per-directory configuration structure diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index d4e6556815..bfb0d9dc02 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -135,6 +135,53 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc) ** _________________________________________________________________ */ +static void modssl_ctx_init(modssl_ctx_t *ctx, SSLSrvConfigRec *sc) +{ + ctx->sc = sc; + + ctx->ssl_ctx = NULL; + + ctx->pks = NULL; + ctx->pkp = NULL; + + ctx->protocol = SSL_PROTOCOL_ALL; + + ctx->pphrase_dialog_type = SSL_PPTYPE_UNSET; + ctx->pphrase_dialog_path = NULL; + + ctx->cert_chain = NULL; + + ctx->crl_path = NULL; + ctx->crl_file = NULL; + ctx->crl = NULL; + + ctx->auth.ca_cert_path = NULL; + ctx->auth.ca_cert_file = NULL; + ctx->auth.cipher_suite = NULL; + ctx->auth.verify_depth = UNSET; + ctx->auth.verify_mode = SSL_CVERIFY_UNSET; +} + +static void modssl_ctx_init_server(SSLSrvConfigRec *sc, + apr_pool_t *p) +{ + modssl_ctx_t *ctx; + + ctx = sc->server = apr_palloc(p, sizeof(*sc->server)); + + modssl_ctx_init(ctx, sc); + + ctx->pks = apr_palloc(p, sizeof(*ctx->pks)); + + memset((void*)ctx->pks->cert_files, 0, sizeof(ctx->pks->cert_files)); + + memset((void*)ctx->pks->key_files, 0, sizeof(ctx->pks->key_files)); + + memset(ctx->pks->certs, 0, sizeof(ctx->pks->certs)); + + memset(ctx->pks->keys, 0, sizeof(ctx->pks->keys)); +} + /* * Create per-server SSL configuration */ @@ -151,24 +198,7 @@ void *ssl_config_server_create(apr_pool_t *p, server_rec *s) sc->log_level = SSL_LOG_NONE; sc->session_cache_timeout = UNSET; - sc->szCACertificatePath = NULL; - sc->szCACertificateFile = NULL; - sc->szCertificateChain = NULL; - sc->szCipherSuite = NULL; - sc->nVerifyDepth = UNSET; - sc->nVerifyClient = SSL_CVERIFY_UNSET; - sc->nPassPhraseDialogType = SSL_PPTYPE_UNSET; - sc->szPassPhraseDialogPath = NULL; - sc->nProtocol = SSL_PROTOCOL_ALL; - sc->pSSLCtx = NULL; - sc->szCARevocationPath = NULL; - sc->szCARevocationFile = NULL; - sc->pRevocationStore = NULL; - - memset((void*)sc->szPublicCertFiles, 0, sizeof(sc->szPublicCertFiles)); - memset((void*)sc->szPrivateKeyFiles, 0, sizeof(sc->szPrivateKeyFiles)); - memset(sc->pPublicCert, 0, sizeof(sc->pPublicCert)); - memset(sc->pPrivateKey, 0, sizeof(sc->pPrivateKey)); + modssl_ctx_init_server(sc, p); return sc; } @@ -183,6 +213,8 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv; SSLSrvConfigRec *mrg = (SSLSrvConfigRec *)apr_palloc(p, sizeof(*mrg)); + modssl_ctx_init_server(mrg, p); + cfgMerge(mc, NULL); cfgMergeBool(enabled); cfgMergeString(vhost_id); @@ -191,25 +223,25 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv) cfgMerge(log_level, SSL_LOG_NONE); cfgMergeInt(session_cache_timeout); - cfgMergeString(szCACertificatePath); - cfgMergeString(szCACertificateFile); - cfgMergeString(szCertificateChain); - cfgMergeString(szCipherSuite); - cfgMergeInt(nVerifyDepth); - cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET); - cfgMerge(nPassPhraseDialogType, SSL_PPTYPE_UNSET); - cfgMergeString(szPassPhraseDialogPath); - cfgMerge(nProtocol, SSL_PROTOCOL_ALL); - cfgMerge(pSSLCtx, NULL); - cfgMerge(szCARevocationPath, NULL); - cfgMerge(szCARevocationFile, NULL); - cfgMerge(pRevocationStore, NULL); + cfgMergeString(server->auth.ca_cert_path); + cfgMergeString(server->auth.ca_cert_file); + cfgMergeString(server->cert_chain); + cfgMergeString(server->auth.cipher_suite); + cfgMergeInt(server->auth.verify_depth); + cfgMerge(server->auth.verify_mode, SSL_CVERIFY_UNSET); + cfgMerge(server->pphrase_dialog_type, SSL_PPTYPE_UNSET); + cfgMergeString(server->pphrase_dialog_path); + cfgMerge(server->protocol, SSL_PROTOCOL_ALL); + cfgMerge(server->ssl_ctx, NULL); + cfgMerge(server->crl_path, NULL); + cfgMerge(server->crl_file, NULL); + cfgMerge(server->crl, NULL); for (i = 0; i < SSL_AIDX_MAX; i++) { - cfgMergeString(szPublicCertFiles[i]); - cfgMergeString(szPrivateKeyFiles[i]); - cfgMerge(pPublicCert[i], NULL); - cfgMerge(pPrivateKey[i], NULL); + cfgMergeString(server->pks->cert_files[i]); + cfgMergeString(server->pks->key_files[i]); + cfgMerge(server->pks->certs[i], NULL); + cfgMerge(server->pks->keys[i], NULL); } return mrg; @@ -330,33 +362,33 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *cmd, void *ctx, } if (strcEQ(arg, "builtin")) { - sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; - sc->szPassPhraseDialogPath = NULL; + sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN; + sc->server->pphrase_dialog_path = NULL; } else if ((arglen > 5) && strEQn(arg, "exec:", 5)) { - sc->nPassPhraseDialogType = SSL_PPTYPE_FILTER; + sc->server->pphrase_dialog_type = SSL_PPTYPE_FILTER; /* ### This is broken, exec: may contain args, no? */ - sc->szPassPhraseDialogPath = + sc->server->pphrase_dialog_path = ap_server_root_relative(cmd->pool, arg+5); - if (!sc->szPassPhraseDialogPath) { + if (!sc->server->pphrase_dialog_path) { return apr_pstrcat(cmd->pool, "Invalid SSLPassPhraseDialog exec: path ", arg+5, NULL); } if (!ssl_util_path_check(SSL_PCM_EXISTS, - sc->szPassPhraseDialogPath, + sc->server->pphrase_dialog_path, cmd->pool)) { return apr_pstrcat(cmd->pool, "SSLPassPhraseDialog: file '", - sc->szPassPhraseDialogPath, + sc->server->pphrase_dialog_path, "' does not exist", NULL); } } else if ((arglen > 1) && (arg[0] == '|')) { - sc->nPassPhraseDialogType = SSL_PPTYPE_PIPE; - sc->szPassPhraseDialogPath = arg + 1; + sc->server->pphrase_dialog_type = SSL_PPTYPE_PIPE; + sc->server->pphrase_dialog_path = arg + 1; } else { return "SSLPassPhraseDialog: Invalid argument"; @@ -509,7 +541,7 @@ const char *ssl_cmd_SSLCipherSuite(cmd_parms *cmd, void *ctx, dc->szCipherSuite = arg; } else { - sc->szCipherSuite = arg; + sc->server->auth.cipher_suite = arg; } return NULL; @@ -581,11 +613,11 @@ static const char *ssl_cmd_check_aidx_max(cmd_parms *parms, switch (idx) { case SSL_AIDX_CERTS: desc = "certificates"; - files = sc->szPublicCertFiles; + files = sc->server->pks->cert_files; break; case SSL_AIDX_KEYS: desc = "private keys"; - files = sc->szPrivateKeyFiles; + files = sc->server->pks->key_files; break; } @@ -637,7 +669,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx, return err; } - sc->szCertificateChain = arg; + sc->server->cert_chain = arg; return NULL; } @@ -663,7 +695,7 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd, void *ctx, const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx, const char *arg) { - SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; + /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; @@ -671,7 +703,8 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx, return err; } - MODSSL_SET_CA(szCACertificatePath); + /* XXX: bring back per-dir */ + sc->server->auth.ca_cert_path = arg; return NULL; } @@ -679,7 +712,7 @@ const char *ssl_cmd_SSLCACertificatePath(cmd_parms *cmd, void *ctx, const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx, const char *arg) { - SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx; + /*SSLDirConfigRec *dc = (SSLDirConfigRec *)ctx;*/ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); const char *err; @@ -687,7 +720,8 @@ const char *ssl_cmd_SSLCACertificateFile(cmd_parms *cmd, void *ctx, return err; } - MODSSL_SET_CA(szCACertificateFile); + /* XXX: bring back per-dir */ + sc->server->auth.ca_cert_file = arg; return NULL; } @@ -702,7 +736,7 @@ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *cmd, void *ctx, return err; } - sc->szCARevocationPath = arg; + sc->server->crl_path = arg; return NULL; } @@ -717,7 +751,7 @@ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *cmd, void *ctx, return err; } - sc->szCARevocationFile = arg; + sc->server->crl_file = arg; return NULL; } @@ -763,7 +797,7 @@ const char *ssl_cmd_SSLVerifyClient(cmd_parms *cmd, void *ctx, dc->nVerifyClient = id; } else { - sc->nVerifyClient = id; + sc->server->auth.verify_mode = id; } return NULL; @@ -798,7 +832,7 @@ const char *ssl_cmd_SSLVerifyDepth(cmd_parms *cmd, void *ctx, dc->nVerifyDepth = depth; } else { - sc->nVerifyDepth = depth; + sc->server->auth.verify_depth = depth; } return NULL; @@ -1141,7 +1175,7 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *cmd, void *ctx, { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - return ssl_cmd_protocol_parse(cmd, opt, &sc->nProtocol); + return ssl_cmd_protocol_parse(cmd, opt, &sc->server->protocol); } #ifdef SSL_EXPERIMENTAL_PROXY diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 975b74d390..4d29d19c52 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -239,8 +239,8 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, sc->session_cache_timeout = SSL_SESSION_CACHE_TIMEOUT; } - if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) { - sc->nPassPhraseDialogType = SSL_PPTYPE_BUILTIN; + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_UNSET) { + sc->server->pphrase_dialog_type = SSL_PPTYPE_BUILTIN; } /* Open the dedicated SSL logfile */ @@ -374,7 +374,7 @@ static void ssl_init_server_check(server_rec *s, * check for important parameters and the * possibility that the user forgot to set them. */ - if (!sc->szPublicCertFiles[0]) { + if (!sc->server->pks->cert_files[0]) { ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "No SSL Certificate set [hint: SSLCertificateFile]"); ssl_die(); @@ -383,8 +383,8 @@ static void ssl_init_server_check(server_rec *s, /* * Check for problematic re-initializations */ - if (sc->pPublicCert[SSL_AIDX_RSA] || - sc->pPublicCert[SSL_AIDX_DSA]) + if (sc->server->pks->certs[SSL_AIDX_RSA] || + sc->server->pks->certs[SSL_AIDX_DSA]) { ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Illegal attempt to re-initialise SSL for server " @@ -400,7 +400,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s, { SSL_CTX *ctx = NULL; char *cp; - int protocol = sc->nProtocol; + int protocol = sc->server->protocol; /* * Create the new per-server SSL context @@ -428,7 +428,7 @@ static SSL_CTX *ssl_init_ctx(server_rec *s, ctx = SSL_CTX_new(SSLv23_server_method()); /* be more flexible */ } - sc->pSSLCtx = ctx; + sc->server->ssl_ctx = ctx; SSL_CTX_set_options(ctx, SSL_OP_ALL); @@ -459,7 +459,7 @@ static void ssl_init_ctx_session_cache(server_rec *s, apr_pool_t *ptemp, SSLSrvConfigRec *sc) { - SSL_CTX *ctx = sc->pSSLCtx; + SSL_CTX *ctx = sc->server->ssl_ctx; SSLModConfigRec *mc = myModConfig(s); long cache_mode = SSL_SESS_CACHE_OFF; @@ -483,7 +483,7 @@ static void ssl_init_ctx_callbacks(server_rec *s, apr_pool_t *ptemp, SSLSrvConfigRec *sc) { - SSL_CTX *ctx = sc->pSSLCtx; + SSL_CTX *ctx = sc->server->ssl_ctx; SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); @@ -499,28 +499,28 @@ static void ssl_init_ctx_verify(server_rec *s, apr_pool_t *ptemp, SSLSrvConfigRec *sc) { - SSL_CTX *ctx = sc->pSSLCtx; + SSL_CTX *ctx = sc->server->ssl_ctx; int verify = SSL_VERIFY_NONE; STACK_OF(X509_NAME) *ca_list; - if (sc->nVerifyClient == SSL_CVERIFY_UNSET) { - sc->nVerifyClient = SSL_CVERIFY_NONE; + if (sc->server->auth.verify_mode == SSL_CVERIFY_UNSET) { + sc->server->auth.verify_mode = SSL_CVERIFY_NONE; } - if (sc->nVerifyDepth == UNSET) { - sc->nVerifyDepth = 1; + if (sc->server->auth.verify_depth == UNSET) { + sc->server->auth.verify_depth = 1; } /* * Configure callbacks for SSL context */ - if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) { + if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) { verify |= SSL_VERIFY_PEER_STRICT; } - if ((sc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || - (sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) + if ((sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || + (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) { verify |= SSL_VERIFY_PEER; } @@ -530,13 +530,13 @@ static void ssl_init_ctx_verify(server_rec *s, /* * Configure Client Authentication details */ - if (sc->szCACertificateFile || sc->szCACertificatePath) { + if (sc->server->auth.ca_cert_file || sc->server->auth.ca_cert_path) { ssl_log(s, SSL_LOG_TRACE|SSL_INIT, "Configuring client authentication"); if (!SSL_CTX_load_verify_locations(ctx, - sc->szCACertificateFile, - sc->szCACertificatePath)) + sc->server->auth.ca_cert_file, + sc->server->auth.ca_cert_path)) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, "Unable to configure verify locations " @@ -545,8 +545,8 @@ static void ssl_init_ctx_verify(server_rec *s, } ca_list = ssl_init_FindCAList(s, ptemp, - sc->szCACertificateFile, - sc->szCACertificatePath); + sc->server->auth.ca_cert_file, + sc->server->auth.ca_cert_path); if (!ca_list) { ssl_log(s, SSL_LOG_ERROR|SSL_INIT, "Unable to determine list of available " @@ -561,7 +561,7 @@ static void ssl_init_ctx_verify(server_rec *s, * Give a warning when no CAs were configured but client authentication * should take place. This cannot work. */ - if (sc->nVerifyClient == SSL_CVERIFY_REQUIRE) { + if (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE) { ca_list = (STACK_OF(X509_NAME) *)SSL_CTX_get_client_CA_list(ctx); if (sk_X509_NAME_num(ca_list) == 0) { @@ -578,8 +578,8 @@ static void ssl_init_ctx_cipher_suite(server_rec *s, apr_pool_t *ptemp, SSLSrvConfigRec *sc) { - SSL_CTX *ctx = sc->pSSLCtx; - const char *suite = sc->szCipherSuite; + SSL_CTX *ctx = sc->server->ssl_ctx; + const char *suite = sc->server->auth.cipher_suite; /* * Configure SSL Cipher Suite @@ -608,18 +608,18 @@ static void ssl_init_ctx_crl(server_rec *s, * Configure Certificate Revocation List (CRL) Details */ - if (!(sc->szCARevocationFile || sc->szCARevocationPath)) { + if (!(sc->server->crl_file || sc->server->crl_path)) { return; } ssl_log(s, SSL_LOG_TRACE|SSL_INIT, "Configuring certificate revocation facility"); - sc->pRevocationStore = - SSL_X509_STORE_create((char *)sc->szCARevocationFile, - (char *)sc->szCARevocationPath); + sc->server->crl = + SSL_X509_STORE_create((char *)sc->server->crl_file, + (char *)sc->server->crl_path); - if (!sc->pRevocationStore) { + if (!sc->server->crl) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, "Unable to configure X.509 CRL storage " "for certificate revocation"); @@ -634,7 +634,7 @@ static void ssl_init_ctx_cert_chain(server_rec *s, { BOOL skip_first = TRUE; int i, n; - const char *chain = sc->szCertificateChain; + const char *chain = sc->server->cert_chain; /* * Optionally configure extra server certificate chain certificates. @@ -654,14 +654,14 @@ static void ssl_init_ctx_cert_chain(server_rec *s, return; } - for (i = 0; (i < SSL_AIDX_MAX) && sc->szPublicCertFiles[i]; i++) { - if (strEQ(sc->szPublicCertFiles[i], chain)) { + for (i = 0; (i < SSL_AIDX_MAX) && sc->server->pks->cert_files[i]; i++) { + if (strEQ(sc->server->pks->cert_files[i], chain)) { skip_first = TRUE; break; } } - n = SSL_CTX_use_certificate_chain(sc->pSSLCtx, + n = SSL_CTX_use_certificate_chain(sc->server->ssl_ctx, (char *)chain, skip_first, NULL); if (n < 0) { @@ -701,13 +701,13 @@ static int ssl_server_import_cert(server_rec *s, ssl_die(); } - if (SSL_CTX_use_certificate(sc->pSSLCtx, cert) <= 0) { + if (SSL_CTX_use_certificate(sc->server->ssl_ctx, cert) <= 0) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, "Unable to configure %s server certificate", type); ssl_die(); } - sc->pPublicCert[idx] = cert; + sc->server->pks->certs[idx] = cert; return TRUE; } @@ -739,7 +739,7 @@ static int ssl_server_import_key(server_rec *s, ssl_die(); } - if (SSL_CTX_use_PrivateKey(sc->pSSLCtx, pkey) <= 0) { + if (SSL_CTX_use_PrivateKey(sc->server->ssl_ctx, pkey) <= 0) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR|SSL_INIT, "Unable to configure %s server private key", type); ssl_die(); @@ -749,8 +749,8 @@ static int ssl_server_import_key(server_rec *s, * XXX: wonder if this is still needed, this is old todo doc. * (see http://www.psy.uq.edu.au/~ftp/Crypto/ssleay/TODO.html) */ - if ((pkey_type == EVP_PKEY_DSA) && sc->pPublicCert[idx]) { - EVP_PKEY *pubkey = X509_get_pubkey(sc->pPublicCert[idx]); + if ((pkey_type == EVP_PKEY_DSA) && sc->server->pks->certs[idx]) { + EVP_PKEY *pubkey = X509_get_pubkey(sc->server->pks->certs[idx]); if (pubkey && EVP_PKEY_missing_parameters(pubkey)) { EVP_PKEY_copy_parameters(pubkey, pkey); @@ -759,7 +759,7 @@ static int ssl_server_import_key(server_rec *s, } } - sc->pPrivateKey[idx] = pkey; + sc->server->pks->keys[idx] = pkey; return TRUE; } @@ -847,7 +847,7 @@ static void ssl_init_server_certs(server_rec *s, } for (i = 0; i < SSL_AIDX_MAX; i++) { - ssl_check_public_cert(s, ptemp, sc->pPublicCert[i], i); + ssl_check_public_cert(s, ptemp, sc->server->pks->certs[i], i); } have_rsa = ssl_server_import_key(s, sc, rsa_id, SSL_AIDX_RSA); @@ -1107,17 +1107,17 @@ apr_status_t ssl_init_ModuleKill(void *data) for (i=0; i < SSL_AIDX_MAX; i++) { MODSSL_CFG_ITEM_FREE(X509_free, - sc->pPublicCert[i]); + sc->server->pks->certs[i]); MODSSL_CFG_ITEM_FREE(EVP_PKEY_free, - sc->pPrivateKey[i]); + sc->server->pks->keys[i]); } MODSSL_CFG_ITEM_FREE(X509_STORE_free, - sc->pRevocationStore); + sc->server->crl); MODSSL_CFG_ITEM_FREE(SSL_CTX_free, - sc->pSSLCtx); + sc->server->ssl_ctx); } /* diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 69b3e136f3..efd745cedf 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -497,7 +497,7 @@ int ssl_hook_Access(request_rec *r) if (dc->nVerifyDepth != UNSET) { /* XXX: doesnt look like sslconn->verify_depth is actually used */ if (!(n = sslconn->verify_depth)) { - sslconn->verify_depth = n = sc->nVerifyDepth; + sslconn->verify_depth = n = sc->server->auth.verify_depth; } /* determine whether a renegotiation has to be forced */ @@ -1301,7 +1301,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) verify = dc->nVerifyClient; } else { - verify = sc->nVerifyClient; + verify = sc->server->auth.verify_mode; } if (ssl_verify_error_is_optional(errnum) && @@ -1344,7 +1344,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) depth = dc->nVerifyDepth; } else { - depth = sc->nVerifyDepth; + depth = sc->server->auth.verify_depth; } if (errdepth > depth) { @@ -1378,7 +1378,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s) * Unless a revocation store for CRLs was created we * cannot do any CRL-based verification, of course. */ - if (!sc->pRevocationStore) { + if (!sc->server->crl) { return ok; } @@ -1425,7 +1425,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s) * the current certificate in order to verify it's integrity. */ memset((char *)&obj, 0, sizeof(obj)); - rc = SSL_X509_STORE_lookup(sc->pRevocationStore, + rc = SSL_X509_STORE_lookup(sc->server->crl, X509_LU_CRL, subject, &obj); crl = obj.data.crl; @@ -1502,7 +1502,7 @@ int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, server_rec *s) * the current certificate in order to check for revocation. */ memset((char *)&obj, 0, sizeof(obj)); - rc = SSL_X509_STORE_lookup(sc->pRevocationStore, + rc = SSL_X509_STORE_lookup(sc->server->crl, X509_LU_CRL, issuer, &obj); crl = obj.data.crl; diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c index 31a9b6f0c7..e74f8e4d47 100644 --- a/modules/ssl/ssl_engine_pphrase.c +++ b/modules/ssl/ssl_engine_pphrase.c @@ -213,7 +213,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) * Read in server certificate(s): This is the easy part * because this file isn't encrypted in any way. */ - if (sc->szPublicCertFiles[0] == NULL) { + if (sc->server->pks->cert_files[0] == NULL) { ssl_log(pServ, SSL_LOG_ERROR|SSL_INIT, "Server should be SSL-aware but has no certificate configured " "[Hint: SSLCertificateFile]"); @@ -221,9 +221,9 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) } algoCert = SSL_ALGO_UNKNOWN; algoKey = SSL_ALGO_UNKNOWN; - for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->szPublicCertFiles[i] != NULL; i++) { + for (i = 0, j = 0; i < SSL_AIDX_MAX && sc->server->pks->cert_files[i] != NULL; i++) { - apr_cpystrn(szPath, sc->szPublicCertFiles[i], sizeof(szPath)); + apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath)); if ( exists_and_readable(szPath, p, NULL) != APR_SUCCESS ) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_ERRNO, "Init: Can't open server certificate file %s", szPath); @@ -282,8 +282,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) * phrase for all). When this is the case we can minimize the dialogs * by trying to re-use already known/entered pass phrases. */ - if (sc->szPrivateKeyFiles[j] != NULL) - apr_cpystrn(szPath, sc->szPrivateKeyFiles[j++], sizeof(szPath)); + if (sc->server->pks->key_files[j] != NULL) + apr_cpystrn(szPath, sc->server->pks->key_files[j++], sizeof(szPath)); /* * Try to read the private key file with the help of @@ -390,10 +390,10 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) * chances... */ #ifndef WIN32 - if ((sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN - || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) + if ((sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN + || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) #else - if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE #endif && cpPassPhraseCur != NULL && nPassPhraseRetry < BUILTIN_DIALOG_RETRIES ) { @@ -408,7 +408,7 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) continue; } #ifdef WIN32 - if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN) { ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: PassPhraseDialog BuiltIn not supported in server private key from file %s", szPath); ssl_die(); @@ -429,16 +429,16 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) else { ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Private key not found"); } - if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN - || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN + || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { apr_file_printf(writetty, "Apache:mod_ssl:Error: Private key not found.\n"); apr_file_printf(writetty, "**Stopped\n"); } } else { ssl_log(pServ, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Pass phrase incorrect"); - if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN - || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN + || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { apr_file_printf(writetty, "Apache:mod_ssl:Error: Pass phrase incorrect.\n"); apr_file_printf(writetty, "**Stopped\n"); } @@ -524,8 +524,8 @@ void ssl_pphrase_Handle(server_rec *s, apr_pool_t *p) */ if (nPassPhraseDialog > 0) { sc = mySrvConfig(s); - if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN - || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN + || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { apr_file_printf(writetty, "\n"); apr_file_printf(writetty, "Ok: Pass Phrase Dialog successful.\n"); } @@ -667,21 +667,21 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) /* * Builtin or Pipe dialog */ - if (sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN - || sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN + || sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { char *prompt; int i; - if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { if (!readtty) { ssl_log(s, SSL_LOG_INFO, "Init: Creating pass phrase dialog pipe child '%s'", - sc->szPassPhraseDialogPath); - if (ssl_pipe_child_create(p, sc->szPassPhraseDialogPath) + sc->server->pphrase_dialog_path); + if (ssl_pipe_child_create(p, sc->server->pphrase_dialog_path) != APR_SUCCESS) { ssl_log(s, SSL_LOG_ERROR, "Init: Failed to create pass phrase pipe '%s'", - sc->szPassPhraseDialogPath); + sc->server->pphrase_dialog_path); PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); return (-1); @@ -690,7 +690,7 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) ssl_log(s, SSL_LOG_INFO, "Init: Requesting pass phrase via piped dialog"); } - else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */ + else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ #ifdef WIN32 PEMerr(PEM_F_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD); memset(buf, 0, (unsigned int)bufsize); @@ -735,10 +735,10 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) apr_file_puts(prompt, writetty); for (;;) { - if (sc->nPassPhraseDialogType == SSL_PPTYPE_PIPE) { + if (sc->server->pphrase_dialog_type == SSL_PPTYPE_PIPE) { i = pipe_get_passwd_cb(buf, bufsize, "", FALSE); } - else { /* sc->nPassPhraseDialogType == SSL_PPTYPE_BUILTIN */ + else { /* sc->server->pphrase_dialog_type == SSL_PPTYPE_BUILTIN */ i = EVP_read_pw_string(buf, bufsize, "", FALSE); } if (i != 0) { @@ -757,8 +757,8 @@ int ssl_pphrase_Handle_CB(char *buf, int bufsize, int verify, void *srv) /* * Filter program */ - else if (sc->nPassPhraseDialogType == SSL_PPTYPE_FILTER) { - const char *cmd = sc->szPassPhraseDialogPath; + else if (sc->server->pphrase_dialog_type == SSL_PPTYPE_FILTER) { + const char *cmd = sc->server->pphrase_dialog_path; const char **argv = apr_palloc(p, sizeof(char *) * 4); char *result;